W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Misconceptions about the GSS-API

From: Nico Williams <nico@cryptonector.com>
Date: Fri, 13 Jul 2012 16:20:44 -0500
Message-ID: <CAK3OfOio4HCRkV+dcxFG8-D646mmSPjvDBBfL2NGfe=Lsj1F6w@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Jul 13, 2012 at 4:11 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> In message <CAK3OfOh7P1pdf91UFA8xj6nxj+c0__Bg11HZHy83mAbbBwFmgg@mail.gmail.com>
> , Nico Williams writes:
> You seem to overlook half of my argument:  It is both a matter of
> API design *AND* lugging around tons of unnecessary code.

Who said you have to?  You don't even need to use the GSS-API itself
to access GSS mechanisms.

I'm using the GSS-API in REST-GSS not because I expect apps to "lug
around" complete GSS implementations, but because it helps produce a
more formal specification.  I'm using the *abstract* API.
Implementors are free to not use the API at all yet still interop.

>>> Crypto for HTTP/2.0 should be specified in a way which is very hard
>>> to do wrong, not very hard to do right.
>>I agree violently.
> So lets start from there, if we ever get a chance.

See the above.

Received on Friday, 13 July 2012 21:21:07 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:04 UTC